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MEMORANDUM 


United States Department of Stale 

l^shington, D. c. 20520 LOGGED 

2 7 SEP 1985 


September 26, 1985 


TO: 


FROM: 


SUBJECT: 


Vice Admiral E.R. Burkhalter Jr. 
Director 

Intelligence Community Staff 





Lynn McNui 
Director 

Information Systems Security Office 

Status Report on Planned Security Enhancements 
for the INR Information Handling System 


This memorandum is in response to the IC staff request 
for information on the Department's planned used of Fy-86 
COMPUSEC funds to correct security deficiencies identified 
during the review of the INR Information Handling System. 

By the end of Fiscal Year 1986, I am confident that 
the Department of State will be in substantial compliance 
with the DCI's security requirements for Critical 
Systems. This will be directly attributable to the 
infusion of COMPUSEC resources that will be applied to 
correct identified security deficiencies; as well as 
providing the ability to accomplish security planning for 
INR's long term information system requirements. 

The Department’s plan for implementing the COMPUSEC 
requirements are discussed in the following paragraphs. 

The attachment to this memorandum contains an enumeration 
of how the COMPUSEC funds will be allocated to correct 
security deficiencies for the INR system. You will note 
that the priority for the utilization of COMPUSEC 
resources has been allocated to correcting security 
deficiencies for the existing INR system. 

1. Termination of the link between the INR System 
and the IBM system . Agreement between all 
elements of the Department, as well as with the 
IC Staff, has been reached on how to effect the 
disconnect. A project staff is being assembled. 

To begin writing the software required to index 
CIA and NSA intelligence reports on the existing 
INR system. The PY-85 funds provided by the IC 
Staff will permit the completion of this phase of 
the disconnect project. It is anticipated that 
this project will be accomplished not later than 
March 31. 1986 . 
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2... > .gecurity Upgrade of the Central Processing 
Units « The implementation of the approved 
■ disconnect solution will result in a temporary 
reduction of functionality available to INR 
analysts. To correct this loss of capability it 
will be necessary to upgrade the INR computer 
systems. The ISS re-accreditation study, 
currently underway, indicates that the INR system 
is operating in a Compartmented mode, not a 
System High mode. The Compartmented mode more 
closely reflects the true INR operating 
environment. Therefore, the next INR computer 
system must possess the security capabilities to 
support this mode of operation. COMPUSEC funds 
will be spent to enable INR to utilize DEC VAX 
11/785 systems. The VAX operating system, VMS, 
is being enhanced to meet the Trusted Computer 
System Criteria. The conversion from PDP 11/70 
to VAX 11/785 systems will enable the Department 
to utilize an operating system with greater 
security controls. It will also permit the 
Department to take advantage of all future 
enhancements made to the VMS operating system as 
a result of dec's continuing relationship with 
the DOD Computer Security Center. The figures 
provided in the attachment for this element 
include VAX specific training for Departmental 
personnel . 

3 . Security Re-accreditation of the Existing INR 
System . The Department's computer security 
element, the Information Systems Security Office 
(ISS) is currently conducting a re-accreditation 
study of the existing INR system. This effort 
will also include a security test, analysis, and 
evaluation of the reconfigured INR system. The 
lack of a currently valid accreditation, as 
required by the DCI's computer security 
directive, was one of the major deficiencies 
cited by the COMPUSEC reports. We plan to obtain 
the necessary consultant support to finish the 
project early in the second quarter of FY-86 
(using FY-86 COMPUSEC resources). The results of 
this study will be submitted to the Director of 
INR for accreditation action to bring the 
Department into compliance with the annual 
accreditation requirement specified in the 
Critical System Supplement to DCID 1/16. 
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4 . Security Upgrade of the Departmental Computer 
Facility Housing the INR computer system . Using 
FY-86 COMPUSEC resources various physical and 
procedural security enhancement will be 
implemented to meet the recommendations of the 
COMPUSEC Report and the ISS re-accreditation 
study. These improvements will strengthen access 
controls to the INR portion of the computer room. 

5 . Development of Short Term and Long Term Security 
Plans . Contractor assistance will be utilized to 
develop short term and long term INR ADP security 
plans. The short term plan will cover the 
1985-87 INR computer environment. The long term 
plan will provide the security framework for the 
future INR major system upgrade tasks projected 
for 1988. 

6 . Enhanced Security Management for the INR System 
and the Department's Central Computer Facility. 
Using the additional staff resources provided by 
the COMPUSEC supplemental, the Information 
Systems Security Office will establish an 
aggressive security management program for the 
INR system and the Department's computer facility 
which houses the INR computer equipment. This 
will include a daily review of audit trail 
information, improved password management, and 
enhanced monitoring of personnel access controls 
to the INR computer complex. 

7 . Procurement of Microcomputer Security Enhancement 
Devices . INR will use TEMPEST approved 
microcomputers as attached workstations to their 
dedicated computer system. These microcomputers 
will be retrofitted with supplemental security 
devices, probably a board that incorporates a 
higher level encryption capability. These 
devices will enhance the protection of SCI 
material in the analyst areas of INR. 

8 . Development of a Security Education Module for 
Users and Operators of the INR System . The 
Department's Information Systems Security Office 
will undertake to develop innovative and 
state-of-the-art security education modules for 
all personnel involved in the operation and use 
of the INR system. We hope to take advantage of 
developments in computer assisted instruction and 
other technologies to assure that relevant and 
interesting materials are presented to INR 
employees . 
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I believe that all of these projects can be 
accomplished for approximately one milli on dollars . The 
Department proposes to use the remaining to 

conduct a counterintelligence vulnerability analysis of 
the information contained in the data files of the Paris 
Regional Administrative Management Center. This facility 
provides payroll, disbursing and allotment accounting 
services to most civilian elements of the US Government 
located in 97 countries in Europe, the Middle East, and 
Africa. This facility is staffed by approximately 6 
Americans and 150 Foreign Service Nationals (FSNs). These 
FSNs occupy all of the critical data processing positions 
- operations director, systems and application programmer, 
equipment operators, and media librarian. The basic 
question that this study would seek to address is whether 
or not there is any information processed at this facility 
which by itself or in the aggregate is of value to a 
hostile intelligence service. The automation of this 
basic information from 97 US embassies and consulates 

facilitates t he task of analyzing this mass of 

information. 



deserves your support as part of the COMPUSEC project. 
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ALLOCATION OF FY-86 COMPUSEC RESOURCES 


1. Disconnect of INR and IBM systein-(will be accomplished 

with available FY-SS funds) 

2, Security Upgrade of INR Central Processing Units 


3. Contractor Assistance required to complete 1986 & 1987 
Security Re-acreditations of the INR Computer System 


4. Security Upgrades to the Computer Facility Housing 

the INR Systems 

5. Development of Short and Long Term Security Plans 


6. Enhanced Security Management of the INR Computer 

System and Computer Facility. (Will only require 
additional personal resources) 

7. Microcomputer Security Enhancement Devices 

8. Security Education Module 

9. RAMC Analysis Project 


600,000 


100,000 

125,000 

75,000 


25.000 

75.000 
300,000 


Total 1,300,000 
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